University of Phoenix
CYB/110
A Trojan is malware that disguises itself as a legitimate application. A Trojan horse payload is
typically a backdoor that allows attackers to gain access to the infected computer. Trojans also
give cybercriminals access to a user's sensitive, confidential information, such as IP addresses,
passwords, and banking details. Trojans are often delivered via email attachments, drive-by
downloads, or by posing as a legitimate application with hidden malicious code embedded in it.
Once executed, Trojans deliver their payload and look for ways to spread.
Preparation
Decide who should be members of the Cybersecurity Incident Response Team (CSIRT).
o Vulnerability Manager, Threat Manager, Risk Manager.
o CSIRT core members should be comprised of cybersecurity personnel.
o Assign roles and responsibilities to every member.
Determine Extended CSIRT Team members and Define Roles.
o Executive Lead, Professional Services Lead, Response Support (Legal, Public Relations, Compliance, etc.).
Define escalation paths.
o Incidents may start with lower impact/severity ratings and then increase as more information is gathered. Establishing an escalation path is critical.
Evaluate and secure critical system backups.
o Backups should be created, maintained, and secured before any incidents occur.
o During the initial stages of any incident, verify that backups are secure and not impacted by the incident.
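The backup verification step above can be made concrete with an integrity manifest: hash every file in the backup set before any incident, keep the manifest outside the backup itself, and re-check the tree during triage. The following Python is an added example, not part of this playbook; the backup files, the manifest location and the tampering it simulates are all constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Added example (not from the course playbook): build a SHA-256 manifest of a
# backup set ahead of time, then re-verify it during an incident to confirm the
# backup was not modified, deleted from, or written to. All paths and file
# contents below are constructed sample data.

CHUNK = 1 << 20  # hash in 1 MiB chunks so large backup files are not loaded whole


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root, POSIX form) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the backup tree against a stored manifest.

    Returns sorted lists of modified, missing and unexpected (added) files;
    an intact backup yields three empty lists.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict:
    """Construct a sample backup, record its manifest, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "users.sql").write_bytes(b"CREATE TABLE users (...);\n")
        (backup / "config.ini").write_bytes(b"[app]\nmode=prod\n")

        # The manifest is stored outside the backup tree (in practice: offline or
        # write-once media) so a compromise of the backup cannot also rewrite it.
        manifest_path = Path(tmp) / "backup.manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(backup), indent=2))

        # Simulate the kinds of changes an incident could introduce.
        (backup / "config.ini").write_bytes(b"[app]\nmode=prod\nextra=1\n")   # modified
        (backup / "db" / "users.sql").unlink()                                 # missing
        (backup / "unexpected.bin").write_bytes(b"not part of the backup")    # added

        stored = json.loads(manifest_path.read_text())
        return verify_manifest(backup, stored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Any non-empty list returned by verify_manifest means the backup must be treated as suspect until the discrepancy is explained; only a backup that verifies clean should be used for recovery.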
Detection
Define Threat Indicators
o Unknown or unexpected services and applications configured to launch automatically upon system boot.
o Unknown or unexpected outgoing internet traffic.
o Anti-virus programs malfunctioning or becoming disabled for unknown reasons.
o Degraded processing capability (increased CPU utilization).
Isolate infected systems ASAP.
o DO NOT power off machines, as forensic artifacts could be lost.
o Preserve the system(s) for further forensic investigation, reviewing system logs and performing deep scans for malware.
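Two of the threat indicators above, unexpected autostart entries and unexpected outgoing traffic, can be checked programmatically by comparing a host snapshot against a known-good baseline. The following Python is an added example, not part of this playbook: the autostart baseline, the internal address ranges, the allowed outbound ports and the netstat-style sample lines are all constructed assumptions, and a real deployment would feed it the host's actual autostart entries and connection table.

```python
from __future__ import annotations

import ipaddress
from typing import Iterable, List, Optional, Tuple

# Added example (not from the course material): detection logic for two of the
# listed threat indicators, run over constructed sample data.

# Autostart entries captured from a known-good build of the host (assumed baseline).
AUTOSTART_BASELINE = {
    ("OneDrive", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"),
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
}

# Address ranges the organisation treats as internal. These are checked
# explicitly rather than via ipaddress.is_private, because that property also
# reports the RFC 5737 documentation ranges used in the sample data as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Destination ports normal workstation traffic is expected to use (assumed allowlist).
ALLOWED_OUTBOUND_PORTS = {53, 80, 443}

# Constructed host snapshot: one entry outside the baseline, launched from a temp directory.
SAMPLE_AUTOSTARTS = [
    ("OneDrive", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"),
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("Updater", r"C:\Users\jdoe\AppData\Local\Temp\update_helper.exe"),
]

# Constructed netstat-style lines: proto, local, remote, state, pid.
SAMPLE_NETSTAT = """\
TCP    10.0.0.5:52113    10.0.0.20:445        ESTABLISHED   1204
TCP    10.0.0.5:52114    203.0.113.7:443      ESTABLISHED   4412
TCP    10.0.0.5:52120    198.51.100.9:9001    ESTABLISHED   4412
UDP    10.0.0.5:5353     *:*                  812
""".splitlines()


def unexpected_autostarts(entries: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return autostart entries that are not in the known-good baseline."""
    return [e for e in entries if e not in AUTOSTART_BASELINE]


def parse_connection(line: str) -> Optional[dict]:
    """Parse one netstat-style line; return None for lines that do not fit the shape."""
    parts = line.split()
    if len(parts) != 5 or parts[0] not in ("TCP", "UDP"):
        return None
    host, port = parts[2].rsplit(":", 1)
    try:
        remote_ip = ipaddress.ip_address(host.strip("[]"))  # tolerate bracketed IPv6
        remote_port = int(port)
    except ValueError:
        return None
    return {"proto": parts[0], "remote_ip": remote_ip, "remote_port": remote_port,
            "state": parts[3], "pid": int(parts[4])}


def unexpected_outbound(lines: Iterable[str]) -> List[dict]:
    """Flag established connections to external hosts on non-allowlisted ports."""
    findings = []
    for line in lines:
        conn = parse_connection(line)
        if conn is None or conn["state"] != "ESTABLISHED":
            continue
        internal = any(conn["remote_ip"] in net for net in INTERNAL_NETS)
        if not internal and conn["remote_port"] not in ALLOWED_OUTBOUND_PORTS:
            findings.append(conn)
    return findings


if __name__ == "__main__":
    for name, cmd in unexpected_autostarts(SAMPLE_AUTOSTARTS):
        print(f"autostart not in baseline: {name} -> {cmd}")
    for c in unexpected_outbound(SAMPLE_NETSTAT):
        print(f"unexpected outbound: pid {c['pid']} -> {c['remote_ip']}:{c['remote_port']}")
```

On the sample data the autostart check flags the "Updater" entry and the connection check flags the session to 198.51.100.9 on port 9001; the PID on that finding (4412) is the natural pivot for the next step, identifying which process and which account own the connection before the host is isolated.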
These steps should be performed to guide the investigation.
Investigate the malware to see if it is running with a user account's credentials.
o If so, disable the user account(s) until the investigation is complete.
Analyze the malware to determine how to contain the outbreak.
o If available, use a sandboxed malware analysis system to perform analysis.